HSBC confirms security breach exposing 2.7 million credit cards

HSBC has confirmed a security breach exposing the details of 2.7 million credit card accounts. However,
the bank has made a decision not to reissue cards after saying that the data exposed is not enough
to make fraudulent transactions.

The compromise (limited to the international bank's business in Turkey) exposed credit card
numbers, expiration dates, names and the associated HSBC account number of those card holders.

The security breach was detected internally and has not been linked to any fraudulent transactions,
as a notice by HSBC Turkey explains.

The bank said it "identified the attack in the past week through its internal controls".

All too often, serious security breaches are only caught by third parties or government
agencies, sometime after they've been comitted, rather than by the victim itself.

"A couple of things stand out-– the attack happened last week, and they’ve caught it already,
and they caught it themselves," Ford said. "This is rather impressive, given that the vast majority
of security breaches are detected by third parties, and often not for several months."

HSBC Turkey has notified the Banking Regulation and Supervision Agency of Turkey and
other relevant authorities about the security breach.

An investigation aimed at identifying the criminals behind the hack has begun. In the meantime
banking customers should continue to use their account as normal, HSBC Turkey advises.

The bank said that it is "not possible to print cards and withdraw money from ATMs with the
compromised information" and likewise "not possible to make any transactions through internet
banking or telephone banking with the compromised information".

"Our customers can continue to use internet banking and telephone banking confidently," it
added.

Ford said this response was reasonable in the circumstances. "HSBC is underscoring that cards
will not be re-issued at this time, and that the compromised data will not impact Internet
Banking, ATM transactions, and telephone banking services.

Customers can continue using their credit cards with confidence. This is because 'card present'
transactions require additional information that would be encoded on the magnetic strip, and
for 'card not present' transactions, the card security code (CVC or CVV2) would be required to transact
business.”

Although cybercrooks may be missing several pieces of information needed to carry out fraud,
there's a very real possibility that they might attempt to hoodwink prospective marks into handing
over this information through phishing scams or similar trickery.

Extra vigilance would be prudent and we'd be inclined to support HSBC Turkey customers who
went further and requested a reissued card.